Report: Anonymous Turns To Denial Of Service Attacks As A Last Resort

Robert Vamosi, Contributor. I am an award-winning information security writer and a CISSP. Opinions expressed by Forbes Contributors are their own.

In 2011, members of Anonymous targeted a major organization, first posting recruiting videos on YouTube and then making various tools available to volunteers worldwide to download and use during a planned attack. But the target was ready; its security defenses held against the onslaught of vigilantes online. Its files were not stolen. Its Web sites did not go down.

"The good thing about Hacktivism is that it is loud and pre-announced," said Amichai Shulman, chief technology officer at Imperva. On Monday the company, which specializes in data protection, issued a report detailing the unsuccessful attack without identifying the actual target. The New York Times has said the group's target was the Vatican, a claim Imperva would neither confirm nor deny.

Indeed, the target may not be important. "What we were able to see is how it actually started, what were the tools that they were using," said Shulman.

According to the report, Anonymous spent the first 18 days recruiting volunteers, using Facebook and Twitter to get their message out. YouTube videos then supplemented the text messages, explaining the alleged crimes the target committed. But all that was bluster, said Imperva, perhaps a cover for a failed attempt to exfiltrate data from the SQL database on their own.

"Initially it was a small group of people, professionals who knew how to use the tools, and knew how to protect their identities," said Shulman. "They knew how to look for stuff, and if they had succeeded (in finding what they wanted), they would not have needed all the volunteers," he concluded.

On Day 19, the group started scanning the target's Web site, looking for vulnerabilities such as cross-site scripting (XSS), SQL injection, and directory traversal. What Imperva learned from its logs during this period was exactly which tools Anonymous used to scan the target site. Among these: the Havij Scanner, a tool used by penetration testers to look for SQL injection vulnerabilities; the Acunetix Scanner, a tool used for detecting SQL injection, cross-site scripting and other vulnerabilities; and the Nikto Scanner, a tool for detecting outdated server software and other problems. Upon finding no vulnerabilities to exploit, the group turned to Plan B, a Distributed Denial of Service (DDoS) attack.

On Day 22 the group started conducting its DoS reconnaissance. Using the Onion Router (Tor), a network that obfuscates the origin of the attacker, the group searched the target site repeatedly using what Imperva termed a "test" word. Later the group used the URLs of the various servers responding to the search query for the DDoS attack.

The DDoS attacks, using downloadable tools such as JavaScript and Low Orbit Ion Cannon (LOIC), lasted two days and generated about half a million traffic hits at their peak. Eleven percent of the volunteers used the Anonymous proxy to mask their origin, but Imperva found a majority of the attackers came from at least four different countries, meaning these individuals did not mask their identities. Additionally, a few thousand of the attackers used mobile devices.

Shulman believes what his security tools witnessed last year was not unusual. And the report, part of the company's monthly Hacker Intelligence Initiative, offers valuable insight into the process. "I think looking forward it helps us to realize what is actually behind this kind of threat and how you can mitigate against it."